Query Details

Initial Access, ISO/IMG File Mounted

ISOIMG Mount

Query

DeviceFileEvents
| where FileName endswith ".iso.lnk" or FileName endswith ".img.lnk"

Explanation

This query is designed to detect potential initial access threats by identifying when an ISO or IMG file is mounted on a device. These file types are often used in spearphishing attacks. The query specifically looks for file events where the file name ends with ".iso.lnk" or ".img.lnk". If such a file is found, it could indicate that a malicious attachment has been opened.

Details

Ali Hussein profile picture

Ali Hussein

Released: January 22, 2024

Tables

DeviceFileEvents

Keywords

Devices

Operators

endswithor

MITRE Techniques

Actions

GitHub